Plugins » Katello

Recent changes to permissions in Katello seem to have broken subscription manager's registration functionality in the GUI.

The failure occurs when subman attempts to update the system's package profile during its registration process and is due to a permissions error.

Currently subscription manager expects that the package profile can be updated via basic auth (admin user) and consumer auth (oauth), and it appears that an admin via basic auth is no longer able to make this call.

Registration via the subman CLI is different (and working) because it creates a new connection using the newly aquired consumer id cert and uses it to update the package profile. We can fix this in subamn, but it will still be broken for old subman clients. We have to support both.

Generally in subscription manager, most 'consumer' related API calls are made via consumer id cert, however, many of them can be made via basic auth (a user who has permissions).

The following should be checked to ensure that the API can be called via basic auth.

Basic Auth (User)
---------------------------
GET /
GET /users/{user_uuid}/owners
GET /owners/{owner_key}/environments
POST /environments/{environment}/consumers (registration)
PUT /consumers/{consumer_uuid}/packages

POST /consumers/{consumer_uuid} (force regen of identity certificate)
GET /owners/{org_id}/servicelevels
PUT /hypervisors

Exception details:

[DEBUG 2014-05-27 10:18:38 cp_proxy] Checking  params  for katello/api/v1/candlepin_proxies/upload_package_profile
  Katello::System Load (0.6ms)  SELECT "katello_systems".* FROM "katello_systems" WHERE "katello_systems"."uuid" = '0b7712ee-42ad-4ed4-9141-b61cd3ba6116' LIMIT 1
  Rendered api/v1/errors/access_denied.json.rabl (1.4ms)
Filter chain halted as :authorize_client rendered or redirected
Completed 403 Forbidden in 37.4ms (Views: 30.7ms | ActiveRecord: 0.6ms)
With body: {"message":"Access denied","details":null}